Mumbai: The Reserve Bank of India (RBI) has removed the so-called two-factor authentication (or TFA) requirement for online card transactions involving sums up to Rs2,000, in a move aimed at simplifying and encouraging electronic payments.
The move will likely help cab aggregators, online movie ticket sellers and even e-commerce marketplaces.
Currently, any online transaction involving a card requires users to first enter card details on the merchant’s payment gateway, wait for a one-time password (OTP) to be sent to their mobile phone, and then use this number to complete the purchase.
To be sure, discarding TFA for purchases up to Rs2,000 is an opt-in service, which means that customers will have to specifically opt for it.
RBI said that card network providers and banks will have to inform customers about the availability of such services and take their consent.
Customers opting for this facility will go through a one-time registration process requiring entry of card details and additional factor authentication by the issuing bank, RBI’s notification said.
“We would have to wait and see how the registration process will come up, but it should be largely online,” said Sangram Singh, head of card and payments business, Axis Bank.
Banks and card networks will be free to allow their customers to set lower transaction limits, RBI said. They will also have to indicate the maximum liability on the customer (if any) at the time of registration and educate customers that it’s their responsibility to report any frauds while transacting, the regulator added.
Vijay Jasuja, chief executive officer, SBI Cards Pvt. Ltd, says that the central bank’s intent is to provide a level playing field to everyone in the payments ecosystem.
“As of now, customers can make payments using mobile wallets without a two-factor authentication. If you provide a facility to one company then it must be provided to everyone,” Jasuja said.
App-based payments service providers say the move will boost digital transactions.
“We welcome the timely move. This will definitely encourage more users to switch to debit and credit cards for online payments,” said a spokesperson for cab-hailing service Ola.
Experts say that customers are likely to welcome the move as well. “Service providers will have to be careful in ensuring that security in these services is maintained. Multiple fraudulent small value transactions can add up to a large amount, if card details are compromised,” said Bhavik Hathi, managing director, Alvarez & Marsal India, a consultancy.
In 2014, US-based cab services provider Uber was pulled up by RBI for providing payments without a two-factor authentication process. RBI had then said all transactions, including electronic ones, involving credit cards issued in India for goods or services in the country must have an additional authentication system at each point of sale.
In May 2015, RBI said that two-factor authentication was not necessary for transactions up to Rs2,000 through contactless cards. However, such cards constitute a minuscule proportion of all debit cards issued in India.
RBI eases authentication norms for online card transactions up to Rs2,000 - Livemint